Message ID | 20201211190330.2586116-1-mic@digikod.net (mailing list archive) |
---|---|
Series | Enable root to update the blacklist keyring |

Jarkko, David, what is the status of this patch series? Do you need help
to test it?

On 11/12/2020 20:03, Mickaël Salaün wrote:
> Hi,
>
> This second patch series includes some minor fixes and removes the 4 fix
> patches picked by David Howells. This patch series can then be applied
> on top of
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes
>
> The goal of these patches is to add a new configuration option to enable
> the root user to load signed keys in the blacklist keyring. This
> keyring is useful to "untrust" certificates or files. Enabling to
> safely update this keyring without recompiling the kernel makes it more
> usable.
>
> Previous patch series:
> https://lore.kernel.org/lkml/20201120180426.922572-1-mic@digikod.net/
>
> Regards,
>
> Mickaël Salaün (5):
>   certs: Make blacklist_vet_description() more strict
>   certs: Factor out the blacklist hash creation
>   certs: Check that builtin blacklist hashes are valid
>   certs: Allow root user to append signed hashes to the blacklist
>     keyring
>   tools/certs: Add print-cert-tbs-hash.sh
>
>  MAINTAINERS                                   |   2 +
>  certs/.gitignore                              |   1 +
>  certs/Kconfig                                 |  10 +
>  certs/Makefile                                |  15 +-
>  certs/blacklist.c                             | 202 ++++++++++++++----
>  crypto/asymmetric_keys/x509_public_key.c      |   3 +-
>  include/keys/system_keyring.h                 |  14 +-
>  scripts/check-blacklist-hashes.awk            |  37 ++++
>  .../platform_certs/keyring_handler.c          |  26 +--
>  tools/certs/print-cert-tbs-hash.sh            |  91 ++++++++
>  10 files changed, 326 insertions(+), 75 deletions(-)
>  create mode 100755 scripts/check-blacklist-hashes.awk
>  create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 1b91ea77dfeb2c5924ab940f2e43177c78a37d8f
>

On Tue, Jan 05, 2021 at 11:12:57AM +0100, Mickaël Salaün wrote:
> Jarkko, David, what is the status of this patch series? Do you need help
> to test it?

Hi, a leave/vacation and the holiday period badly mixed my schedules.

I'm testing this upcoming week.

/Jarkko

On Sun, Jan 10, 2021 at 06:57:10AM +0200, Jarkko Sakkinen wrote:
> On Tue, Jan 05, 2021 at 11:12:57AM +0100, Mickaël Salaün wrote:
> > Jarkko, David, what is the status of this patch series? Do you need help
> > to test it?
>
> Hi, a leave/vacation and the holiday period badly mixed my schedules.
>
> I'm testing this upcoming week.
>
> /Jarkko

❯ git-pw series apply 400795
Applying: certs: Make blacklist_vet_description() more strict
error: sha1 information is lacking or useless (certs/blacklist.c).
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 certs: Make blacklist_vet_description() more strict
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Can you rebase to rc3 and resend? Also, please add this to the patches
1-3:

Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

Also, 4-5 look good but I hold for testing before acking further.

Thanks, and apologies for such a long wait.

/Jarkko